http://bugzilla.opensuse.org/show_bug.cgi?id=1166007
http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c1
Christian Boltz changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |WONTFIX
--- Comment #1 from Christian Boltz ---
That's not a surprise - you'll need to extend the AppArmor profile if you want
to run custom scripts in/from dovecot.
For your specific case, edit /etc/apparmor.d/local/usr.sbin.dovecot and allow
to execute your postlogin script by adding this line:
/usr/local/bin/dovecot-postlogin.sh mrUx,
Then run rcapparmor reload to load the updated profile.
Note that "Ux" means to run dovecot-postlogin.sh unconfined (without AppArmor
restrictions). That's easy, but also the least secure variant.
If you want a more secure solution, run aa-logprof to allow executing the
postlogin script in "(P)rofile" mode (it will also create a minimum profile for
the script). Put the profile for the script into complain (learning) mode:
aa-complain /usr/local/bin/dovecot-postlogin.sh
and use dovecot for a while. Then run aa-logprof again to complete the profile,
and finally switch it to enforce mode:
aa-enforce /usr/local/bin/dovecot-postlogin.sh
At this point, everything should work. (If you hit more denials, run aa-logprof
again.)
I'm afraid your requirement is too special for the official/shipped profile,
therefore I'm closing this bug as "wontfix". I hope the above helps you
nevertheless ;-) and if you need more help, feel free to ask.
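The comment above notes that "Ux" runs the script without AppArmor restrictions. As an added example (not part of the original comment or of the AppArmor tools), this shell function lists the file rules in a profile that execute a program unconfined, so they can be reviewed and moved to a "(P)rofile" transition. The sample profile text is constructed, the example-*.sh paths are hypothetical, and the parser assumes path-first rules written one per line.

```shell
#!/bin/sh
# Added example: flag AppArmor file rules that execute a program unconfined.

# Reads profile text on stdin and prints "LINE PATH PERMS" for every rule
# whose permission string contains ux/Ux. That also catches the pux/PUx and
# cux/CUx variants, which fall back to unconfined when no profile exists.
# Assumption: path-first file rules ("/path perms,"), one rule per line.
find_unconfined_exec() {
    awk '
    {
        sub(/#.*/, "")             # drop comments and #include lines
        sub(/,[ \t]*$/, "")        # drop the trailing comma
        if (NF < 2) next           # blank line or not a "path perms" rule
        perms = $NF
        path  = $(NF - 1)          # skips qualifiers such as "owner" or "audit"
        first = substr(path, 1, 1)
        if (first != "/" && first != "@") next   # path or @{variable} only
        if (perms ~ /^[a-zA-Z]+$/ && perms ~ /[uU]x/)
            print NR, path, perms
    }'
}

# Constructed sample modelled on /etc/apparmor.d/local/usr.sbin.dovecot.
sample_local_profile() {
    cat <<'EOF'
# local additions for dovecot (constructed sample)
/usr/local/bin/example-helper.sh Px,
/usr/local/bin/dovecot-postlogin.sh mrUx,
/usr/local/bin/example-report.sh rix,
/usr/local/bin/example-cleanup.sh pux,
EOF
}

# Stand-alone run: report the unconfined exec rules in the sample.
sample_local_profile | find_unconfined_exec
```

To audit a real file, feed it on stdin, for example `find_unconfined_exec < /etc/apparmor.d/local/usr.sbin.dovecot`.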